Post on 07-Jun-2020
P l Uhl | Pl tf S it St t i tAdvanced Persistent ResponsePeleus Uhley | Platform Security Strategist
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.
Outline
Background Analyzing threatAnalyzing threat Finding resources
Planning a response Planning a response Tool release Conclusion
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 2
Advanced Persistent Threat
“usually refers to a group with both the capability and the intent to persistently and p y p yeffectively target a specific entity”- Wikipedia- Wikipedia
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 3
Flash Player 0-days
4 SWF in PDF attacks
3 XSS attacks
4 SWF in Office document attacks
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 4
Flash Player 0-days – Alternative measurement
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 5
Advanced Persistent Response
The strategy necessary to inhibit or reduce a malicious entity or entities’ capabilities to y prepeatedly conduct attacks leveraging a specific platform or against a specific target.p p g p g
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 6
Information Gathering
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 7
Know your adversary
Who are they? Why are they upset?Why are they upset? Does it change over time?
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 8
CVE-2011-0609
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 9
CVE-2011-0611
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 10
yuange1975
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 11
Beware of false positives
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 12
Technical Analysis
Their sources? Their targets?Their targets? Their skill?
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 13
Data Source Analysis
Series of attacks based on SWFs from flashandmath.com
Indicates the areas of code that are being attacked Learn from mimicking their approachLearn from mimicking their approach
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 14
Targets
Reports from government customers
Document-based spearDocument based spear phishing attacks
Most exploits are never widely deployedwidely deployed
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 15
Payload Analysis
Symantec studied payloads from 2006 -> 2011
Attacks grouped based on the malware installed (Sykipot)(Sykipot)
L d & t l b t t Large command & control botnet
Mostly used zero-day attacks within several different products to install
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 16
Sykipot
“Thus, the Sykipot attackers are likely to be an organized and skilled group of individuals. g g pGiven their persistence and their long-running campaigns, the attackers are likely to have p g , yconsistent funding for their efforts.”
- Symantec Blog, December 08, 2011
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 17
Changes in the field
A change in targets will require changes to security feature strategy
Exploit kits recently started using SWFs.Exploit kits recently started using SWFs.
E l it kit tt k th t t l t 2 th Exploit kits use attacks that are at least 2 months old
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 18
Effect of exploit kits
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 19
Everything is relative
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 20
Evolution of attacks
Attackers gain skill with practice
Hackers will utilize published research
Makes signature development more difficult
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 21
CVE-2009-1862
Simple bit flip of existing SWF from the web A second SWF was used for the heap sprayA second SWF was used for the heap spray Both SWFs were inside a PDF
Flash was a means to an end Flash was a means to an end
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 22
2010 Improvements
Eventually moved to a single file approach
Parent SWF
Initialization& Heap Spray
Crashing Child SWFCrashing Child SWF
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 23
Trying new research
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 24
CVE-2011-2110
Dynamically passing obfuscated data
main.swf?info=02E6B1525353CAA8AD555555AD31B3D73034B657AA31B4B5AFB5B2B537AF55543549AEB550AC55303736B337AF51D35271B4B5AFB5B2B537AF55543549AEB550AC55303736B337AF51D3527B7AF4C66B7E
Targeting specific versions
if ((((((Capabilities.version.toLowerCase() == "win 10,3,181,14")) || ((Capabilities version toLowerCase() == "win 10 3 181 22")))) ||((Capabilities.version.toLowerCase() == win 10,3,181,22 )))) || ((Capabilities.version.toLowerCase() == "win 10,3,181,23")))){
Return orientated programming
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 25
Conversion to logic based attacks
CVE-2011-2107, CVE-2011-2444 & CVE-2012-0757 were XSS attacks
Required ActionScript programming knowledge Trial & error methods used to identify vulnerabilitiesTrial & error methods used to identify vulnerabilities
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 26
Overall Advancements
• Dumb fuzzing
2009 • Brute force memory tricks
2010• Modularizing code• Experimenting with research techniques
• Full language understanding• ROP exploitation
2011ROP exploitation
• Bypassing mitigation strategies
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 27
Resourcing a response plan
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 28
All you need is…
More time More moneyMore money More hardware
More people More people More…
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 29
Balancing the load
Security teams should focus on larger, high value projects
Any developer should be able to fix a software crash
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 30
Training
Minimum security training level for everyone
Everyone within the Flash Runtime team has at least a white belt security certificationleast a white belt security certification
B b lt j t ll th ti Brown belt projects allow the entirecompany to assist!
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 31
Adobe training results
60Zero Day Response Over Time
40
50
30
40
Zero Day Response Over
20
pTime
0
10
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 32
2008 2009 2010 2011
Make friends!
“It is easy enough to be friendly to one's friends. But to befriend the one who regards himself as your enemy is the quintessence of true religion The other is merereligion. The other is mere business.”
― Mahatma Gandhi
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 33
Types of friends
Researchers Business partnersBusiness partners Defensive software companies
Victims of attacks Victims of attacks Tool vendors
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 34
Planning a response strategy
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 35
Secure Product Lifecycle?
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 36
Goals
1. Increase the difficultly of exploitation.y p
2. Limit the window of opportunity for use.
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 37
Killing bugs
VS
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 38
Fuzzing at scale
Partnered with Google on FP fuzzing effort 2,000 CPUs2,000 CPUs Corpus distillation of 2 TB of SWFs into 20,000 files
(1 week)(1 week) 3 weeks of fuzzing
Bit fli i h Bit flipping approach 1 fuzzing guru (Tavis Ormandy)
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 39
“Patching at scale”
400 files distilled into 80 unique issues Used fuzzers to reproduce and classify issuesUsed fuzzers to reproduce and classify issues Authored app to auto-file bugs
Created tiger team to address the issues Created tiger team to address the issues Majority of issues addressed within 60 days
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 40
Fuzzing results
!exploitable
510
6
ExploitableProbably ExploitableUnknownProbably Not Exploitable
59
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 41
Alternative measurement
“This is completely unfair competition and unfair practices vis-a-vis other securityunfair practices vis a vis other security researchers (or fuzzer enthus). …You guyz killed couple of my bugs ”You guyz killed couple of my bugs.
- TestFuzzer August 16 2011TestFuzzer, August 16, 2011
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 42
Lessons learned
Bugs were spread across the entire code base
Eliminated some low hanging fruit
1 code change per 12,600 CPU hours (1.44 years)
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 43
Using fuzzing as hints
1 good dev == CPU years of fuzzing effort
Fuzzing can provide hints of where to focus code review.review.
F d l th th b fi i Focus on code cleanup rather than bug fixing.
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 44
And, of course…
There is always one more to find…
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 45
Integrating security defenses
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 46
Holistic mitagations
Work smarter, not harder.
More effective at deterring attacks
Require experienced resources
Require longer periods of development time.q g p p
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 47
Standard White Background Bullet Slide
JavaScript blacklist Improved updaterImproved updater Reader X Sandbox
Dedicated team for over 1 year of effort Dedicated team for over 1 year of effort Additional engineers for misc. support External consultants
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 48
Cause and effect
Reader JavaScript blacklist introduced
PDF O l tt kPDF-Only attack
PDF w/ SWF attack
PDF attacks switch from JS to SWF
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 49
Effect of sandboxing
Reader X sandbox launched
CVE-2009-1862
CVE-2010-3654
CVE-2011-0611
CVE-2010-1297
CVE-2011-0609
CVE-2011-0627
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 50
Sandboxing in Flash Player
Currently sandboxed in Chrome Firefox currently in betaFirefox currently in beta Researching:
Chrome pepper sandbox Chrome pepper sandbox IE improvements
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 51
Other minor improvements
Safe unlinking in garbage collection Random function alignmentRandom function alignment Random NOP insertion
Constant folding* Constant folding*
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 52
Other minor improvements
Safe unlinking in garbage collection Random function alignmentRandom function alignment Random NOP insertion
Constant folding* Constant folding*
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 53
Updating end-users
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 54
Update Goals
Work with AV and IDS vendors to create accurate signatures that will protect end-users until they get the patch (MAPP)
Reduce the time to update the majority of end-users to minimize the window of opportunity for the exploit
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 55
We have a background updater!!
New updater will allow us to do silent updates for zero-day patches
Updates both IE and open-source browsers
Complete technical details will be posted with the launch!
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 56
Handling response
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 57
Incident response strategies
Be prepared to triage duplicates, triplicates, quadruplicates, etc….
Set a response timeline goal Have a regular update scheduleHave a regular update schedule Be willing to shift launch dates
A d h t l And have tools….
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 58
Adobe SWF Investigator
Open-source AIR application View SWF tags, disassembly and binaryView SWF tags, disassembly and binary Test AMF services and check for XSS
Inspect LSOs and settings files Inspect LSOs and settings files Execute the SWF in various contexts
Available TODAY!!!!!
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 59
Summary
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 60
Advanced Persistent Response
Understand your threats
Advanced, holisitic security features are needed to ward off future threats
Need to utilize both internal and external resources to accomplish goals
Start early because the best defenses require time to develop
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 61
Looking ahead
Mac auto-updater
Improved IE Sandboxing
Yet more fuzzing
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 62
References
Security portal: (customer & channel partners) http://adobe.com/security
Advisories and updates: http://www.adobe.com/support/security/
ASSET blog: http://blogs.adobe.com/asset
Adobe Security on Twitter: @AdobeSecurity
PSIRT blog: http://blogs.adobe.com/psirt
Documentation Wiki: http://learn.adobe.com/wiki/display/security/Home
Adobe Security on Twitter: @AdobeSecurity
Peleus Uhley on Twitter: @PeleusUhley
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential. 63
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.